Linux Today: Linux News On Internet Time.

Flaws Reported in Validated OpenSSL Module v1.1.1

Nov 29, 2007, 18:30 (0 Talkback[s])

"A significant flaw in the PRNG implementation for the OpenSSL FIPS Object Module v1.1.1 (certificate #733, http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm#733) has been reported by Geoff Lowe of Secure Computing Corporation. Due to a coding error in the FIPS self-test the auto-seeding never takes place.

"That means that the PRNG key and seed used correspond to the last self-test. The FIPS PRNG gets additional seed data only from date-time information, so the generated random data is far more predictable than it should be, especially for the first few calls (CVE-2007-5502)..."

Complete Story

Related Stories: